Definition

Vulnerability

A weakness in software, firmware, hardware, or configuration that could be exploited by an attacker. Vulnerabilities are especially persistent in IoT, OT, and IoMT devices where patching is impractical.

What is a Vulnerability?

A vulnerability is a weakness in software, firmware, hardware, or configuration that could be exploited by an attacker to gain unauthorized access, disrupt availability, or cause unintended behavior. Vulnerabilities are an inevitable byproduct of software development complexity: every sufficiently complex system has flaws, and security researchers, vendors, and attackers continuously discover them. The security challenge is not eliminating all vulnerabilities — that's impossible — but managing them intelligently.

In IoT and OT environments, vulnerabilities are particularly difficult to manage because the standard response (patch it) is often impossible. Medical device firmware vulnerabilities may not have patches available for 6–18 months after disclosure. Patching OT systems may require maintenance windows that cannot be scheduled on short notice. Legacy devices running end-of-life software will never receive patches. The existence of a vulnerability in these environments does not automatically mean it can be remediated; it means it must be managed through risk prioritization and compensating controls such as segmentation, access restriction, and enhanced monitoring.

The volume of vulnerabilities across a typical enterprise makes the management challenge acute. A medium-sized organization with 20,000 connected devices may have hundreds of thousands of open CVE exposures (one for each device affected by each CVE). Without prioritization, this backlog is paralyzing. With risk-based prioritization that combines CVSS severity, CISA KEV status, EPSS exploitation probability, asset criticality, and network exposure, the backlog resolves into a small set of urgent items and a larger set of items that are deferred or covered by compensating controls.
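The following is an added example (not code from the original page or from ORDR) showing one way to turn the prioritization inputs above into a score and an action tier. It runs over a constructed set of five findings with placeholder CVE identifiers; the weights, thresholds, the 40% discount for unexposed assets, and the rule that KEV membership pins likelihood to 1.0 are all illustrative assumptions, not a published standard. The comparison against a CVSS-only ordering shows why the highest CVSS score is not the first thing to fix, and the compensating-control output covers the unpatchable case from the previous paragraph.

```python
"""Risk-based vulnerability prioritization over a constructed finding set.

Combines CVSS base score, CISA KEV membership, EPSS probability, asset
criticality and network exposure into one 0-100 score, then sorts findings
into patch / compensate / schedule / defer tiers. Weights and thresholds are
illustrative assumptions for this example, not a published standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float            # CVSS base score, 0.0-10.0
    epss: float            # EPSS probability of exploitation within 30 days, 0.0-1.0
    in_kev: bool           # listed in the CISA Known Exploited Vulnerabilities catalog
    criticality: int       # asset criticality, 1 (low) to 5 (safety/mission critical)
    exposed: bool          # reachable from the internet or an untrusted zone
    patch_available: bool  # a vendor fix exists and the device can take it now


# Constructed sample data; the CVE identifiers are placeholders, not real entries.
FINDINGS = [
    Finding("CVE-2099-0001", "infusion-pump-07", 9.8, 0.004, False, 5, False, False),
    Finding("CVE-2099-0002", "vpn-gateway-01",   7.5, 0.62,  True,  5, True,  True),
    Finding("CVE-2099-0003", "plc-line3",        8.8, 0.35,  True,  4, False, False),
    Finding("CVE-2099-0004", "printer-2f",       5.3, 0.01,  False, 1, False, True),
    Finding("CVE-2099-0005", "web-app-server",   9.1, 0.20,  False, 3, True,  True),
]

URGENT = 30.0    # assumed threshold: act within days
SCHEDULE = 10.0  # assumed threshold: next maintenance window


def risk_score(f: Finding) -> float:
    """0-100 score = likelihood x impact x exposure.

    KEV membership means exploitation is already observed, so it pins
    likelihood to 1.0 regardless of EPSS. Criticality scales the impact term
    between 50% and 100% of the CVSS contribution, and an unexposed asset keeps
    only 40% of its score. All three factors are assumptions for illustration.
    """
    likelihood = 1.0 if f.in_kev else f.epss
    impact = (f.cvss / 10.0) * (0.5 + 0.5 * f.criticality / 5.0)
    exposure = 1.0 if f.exposed else 0.4
    return round(likelihood * impact * exposure * 100.0, 2)


def triage(f: Finding) -> str:
    """Map a finding to an action tier; urgent but unpatchable means compensate."""
    score = risk_score(f)
    if score >= URGENT:
        return "patch now" if f.patch_available else "compensate"
    if score >= SCHEDULE:
        return "schedule"
    return "defer"


def compensating_controls(f: Finding) -> list[str]:
    """Controls for a finding that cannot be patched on the needed timeline."""
    controls = []
    if f.exposed:
        controls.append("restrict inbound access to the affected service")
    if f.criticality >= 4:
        controls.append("segment the asset into a dedicated zone with an explicit allow-list")
    controls.append("add detection for exploitation attempts against " + f.cve)
    return controls


def prioritize(findings):
    """Risk-based order: highest score first."""
    return sorted(findings, key=risk_score, reverse=True)


def cvss_only(findings):
    """The ordering a CVSS-only process would produce, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def summarize(findings):
    """Count findings per tier; 'patch now' plus 'compensate' is the actionable backlog."""
    counts = {"patch now": 0, "compensate": 0, "schedule": 0, "defer": 0}
    for f in findings:
        counts[triage(f)] += 1
    return counts


if __name__ == "__main__":
    print("CVSS-only order: ", [f.cve for f in cvss_only(FINDINGS)])
    print("Risk-based order:", [(f.cve, risk_score(f), triage(f)) for f in prioritize(FINDINGS)])
    for f in FINDINGS:
        if triage(f) == "compensate":
            print(f.asset, "->", compensating_controls(f))
    print(summarize(FINDINGS))
```

On this data the CVSS-only ordering puts the 9.8 on the isolated, unexposed infusion pump first, while the risk-based ordering moves it to the bottom and brings the KEV-listed 7.5 on the internet-facing VPN gateway to the top. The KEV-listed PLC flaw scores as urgent but has no patch, so it lands in the compensate tier with segmentation and detection recommendations rather than in a queue it can never leave.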

Key Facts

  • Over 200,000 CVEs are in the NVD catalog; 25,000+ new CVEs are added annually
  • Fewer than 5% of CVEs are ever actively exploited in real-world attacks
  • The average enterprise has 500,000+ open CVE exposures across its full connected device estate
  • Risk-based prioritization with KEV and EPSS reduces actionable backlog by 87% versus CVSS-only approaches

How ORDR Addresses Vulnerabilities

ORDR identifies vulnerabilities across every discovered connected asset, correlates them with KEV status, EPSS probability, and asset context, and surfaces the prioritized subset that requires immediate attention. For unpatched devices, ORDR recommends compensating controls — segmentation, enhanced monitoring, access restriction — that reduce exploitation risk without requiring a device update.
